123456 and other things that shouldn't be your password

by November 5, 2013 1:00PM ET
What Adobe's data breach of 150 million accounts tells us about the risks we take on when we sign up for online services
Topics:
Technology
Privacy

Creating passwords to online accounts, and prompts by which to remember them, has become part of everyday life. Yet each time we create a user account, we place our trust in the service provider and in the provider’s security protocols to protect these usernames, passwords and other personal data attached to the account.

On Oct. 3, Adobe announced that cyberattackers had accessed account information, including customer IDs and encrypted passwords, of 2.9 million users. Password-protected accounts are required for use of current versions of such popular Adobe software as Photoshop, Illustrator and Premiere. A few weeks later, the company raised its estimate of the number of affected users to 38 million. According to Adobe spokesperson Heather Edell, these were “users with valid email addresses who have created an Adobe ID — or who have logged in with an Adobe ID — within the past two years.”

Adding insult to injury, hackers last week circulated on several public forums a data set that they believe contains 10 GB of Adobe user account data. Adobe has not confirmed that this data set is its own. "Our investigation is ongoing," Edell said.

What the data looks like

Each row contains a unique user ID, email address, encrypted password and password hint.

102######-|--|-xxxxxx@yahoo.com-|-g0s+82jVl+Q=-|-1to6|--
106######-|--|-xxxxx@xxxxxxxxx.com.au-|-9p235HdvLjQa8356sD+j0g==-|-numeros 1-9|--
unique user ID: 102###### email address: xxxxxx@yahoo.com encrypted password: g0s+82jVl+Q= password hint: 1to6
Source: Data courtesy of Nicholas Semenkovich

Al Jazeera America obtained a copy of this data set, which contains information from what appear to be nearly 150 million accounts, including more than 130 million encrypted passwords and more than 43 million password hints — questions or phrases designed to prompt the user to remember a forgotten password.

How much data is there?
People: 149.98 million
Passwords: 130.33 million
Hints: 43.76 million

The Adobe data breach shows just how vulnerable consumers are when signing up for an online account. Once stolen, this kind of data is often sold to underground communities, where hackers analyze it, crack the passwords and can potentially use the information to commit identity fraud. The data also reveals just how careless many users are in choosing their account settings — which makes not just themselves, but also others in the database, vulnerable to identity fraud.

“It's really quite difficult for consumers to evaluate the security practices of the company that they do business with," said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, which seeks to educate people about privacy issues. “Unfortunately, consumers are largely powerless when the data is in the hands of third parties beyond their control.”

Everyone knows that it’s imperative for users to be careful with their passwords and password hints. But not all consumers are.

While it still takes considerable technical knowledge to decrypt passwords, carelessly chosen hints often provide an easier way to crack an account. Once a hacker knows both the password and the associated hint, she or he can be very destructive.

There are many hints that can easily give away a password. For example, Al Jazeera found that many password hints appear to be identical to the password itself — a person using “password123” as a hint might have set the password itself to be “password123.”

Rows of data where the password hint could be the password
unique user ID-|--|-email address-|-encrypted password-|-password hint|--
65######-|--|-xxxxxxx_xxxx@hotmail.com-|-F/f6AiL93+r/u/+kKjHEMQ==-|-5131980y|--
72######-|--|-xxxxxxxxxxx@xxxxx.com-|-sDGKj4wt9VhQ0v92jz+58w==-|-rickst1982|--
85######-|--|-xxxxxxxx@xxx.it-|-8TnzvOioQ39boj+/1F18VQ==-|-hello12|--
85######-|--|-xxxxx.xxxx@xxxxxxxxxx.fi-|-+3pRaC28lRk=-|-passw1|--
119######-|--|-xxxxxxxxxxxxx@gmail.com-|-MdaJ723AalmV8+07mnrzPQ==-|-*password123*|--
unique user ID email address encrypted password password hint
115###### xxxxxxx_xxxx@hotmail.com F/f6AiL93+r/u/+kKjHEMQ== 5131980y
111###### xxxxxxxxxxx@xxxxx.com sDGKj4wt9VhQ0v92jz+58w== rickst1982
85###### xxxxxxxx@xxx.it 8TnzvOioQ39boj+/1F18VHQ= hello12
85###### xxxxx.xxxx@xxxxxxxxxx.fi +3pRaC28lRk= passw1
119###### xxxxxxxxxxxxx@gmail.com MdaJ723AalmV8+07mnrzPQ== *password123*

Password hints in the leaked data set included “bank account password” or “my social security number,” which would allow the hacker to access much more than the victim’s Adobe account.

“It contains accounts that have gone back a while. So people might not even remember that five, six years ago they created an Adobe account,” said Jeremi Gosney, founder and password expert at Stricture Consulting Group.

Rows of data containing sensitive information
unique user ID-|--|-email address-|-encrypted password-|-password hint|--
87######-|--|-xxxxxxxxxx@xxxx.net-|-vgmLc10Q2l9foqP1McaIRg==-|-BIRTHDATE PLUS SOCIAL|--
89######-|--|-xxxxxxxxxxxxxxx@aol.com-|-9MxRlQci27Y=-|-social security number|--
89######-|--|-xxxxxxxxxxxxxx@aol.com-|-oqw3voqBC5f=-|-what is my social security number|--
96######-|--|-xx@xxxxxxxx.xxxx.edu-|-UM/Tc8lGKFl=-|-social security number|--
108######-|--|-xx.xxxx@us.army.mil-|-jgnq6vl1BW8kqhC7GjkGPw==-|-social security plus two|--
unique user ID email address encrypted password password hint
87###### xxxxxxxxxx@xxxx.net vgmLc10Q2l9foqP1McaIRg== BIRTHDATE PLUS SOCIAL
89###### xxxxxxxxxxxxxxx@aol.com 9MxRlQci27Y= social security number
89###### xxxxxxxxxxxxxx@aol.com oqw3voqBC5f= what is my social security number
96###### xx@xxxxxxxx.xxxx.edu UM/Tc8lGKFl= social security number
108###### xx.xxxx@us.army.mil jgnq6vl1BW8kqhC7GjkGPw== social security plus two

Other passwords in the data set suggested that the password was information easily found across multiple social media channels, such as the name of the user’s mother, father or pet.

Rows of data containing easily identifiable information
unique user ID-|--|-email address-|-encrypted password-|-password hint|--
86######-|--|-xxxxxxxxxxx@xxxx.edu-|-xGLEo4HQcF9=-|-high school|--
93######-|--|-xxxxxxxxxx@gmail.com-|-jqvbh45Gr68=-|-mom|--
106######-|--|-xxxxxxxx@yahoo.com-|-Htag28vf5fK62vyaHhF8ng==-|-kids birthplace|--
106######-|--|-xxxxxx@xxxxxxxxxx.com.au-|-+hgSjwHWgHgocgW6AfgSJw==-|-namecompany|--
108######-|--|-xxxxxxxxxxx@hotmail.com-|-huUgwIdKSNb=-|-1st dog|--
unique user ID email address encrypted password password hint
86###### xxxxxxxxxxx@xxxx.edu xGLEo4HQcF9= high school
93###### xxxxxxxxxx@gmail.com jqvbh45Gr68= mom
106###### xxxxxxxx@yahoo.com Htag28vf5fK62vyaHhF8ng== kids birthplace
106###### xxxxxx@xxxxxxxxxx.com.au +hgSjwHWgHgocgW6AfgSJw== namecompany
108###### xxxxxxxxxxx@hotmail.com huUgwIdKSNb= 1st dog

Al Jazeera ranked some of the most popular password hints here:

Password HintOccurrence
dog 558,846
name 479,010
usual 386,525
?? 328,212
???? 303,633
same 242,067
me 241,786
??? 232,840
cat 227,811
son 183,748
daughter 180,818
nickname 165,432
pet 142,438
????? 140,613
normal 139,740

If passwords from this data set are exposed, again, more than just Adobe accounts are at stake. A user could be employing the same password across different accounts, including online bank accounts. If you set your Social Security number as your password, a hacker could use it to apply for a loan or credit card. In essence, all this information makes consumers vulnerable to identity fraud.

Since the data was published, password researchers and security enthusiasts have been trying to determine Adobe’s method of encrypting user passwords.

Gosney obtained a copy of the data set early last week. Along with two other password researchers, he was able to determine the way Adobe encrypted its passwords in the leaked data set. He has not been able to reverse-engineer all the original passwords yet, but based on the password hints and other analysis, he was able to crack passwords for a sizeable chunk of the user database.

Adobe used a method in which each password was encrypted with the same encryption key. As a result, 1.9 million people who used the same password would have the same encrypted password. This differs from other methods of password storage in which identical passwords would have different encrypted passwords.

While the public data set did not come with the Adobe encryption keys that can transform all encrypted passwords back into their original forms, it is very possible that the attackers who stole the data could also have taken the keys when they accessed the company’s system.

“They had access to these systems for quite a while,” Gosney said. “So it’s not unreasonable to say that they also stole encryption keys for these passwords. Almost guaranteed that they stole the encryption keys as well.”

Think like a hacker: Can you crack the password?

In this data set, Adobe used a password encryption method that obscures all passwords using the same encryption keys. This means that if one user has the same password as another, their encrypted passwords will be identical. Here are the most common passwords found in the Adobe data set.

Encrypted Password:
g0s+82jVl+Q=
(used by 1,911,938 people)
9p235HdvLjQa8356sD+j0g==
(used by 446,162 people)
F6bgHQ3ms7kjrvU2McpHAw==
(used by 345,835 people)
Password Hints:
16
654321
123
numeros
Numeros de 1 a 6
numbers
1~6
unohex
numeri da1 a 6
sequence
Best guess: 123456.
Congratulations! You just cracked more than 1.9 million passwords.
1-9nr
NUMbERS
numeros 1-9
1-9
zahl von 1 bis 9
all nine numbers
1234756789
1mod9
1al9
123456789n
Best guess: 123456789.
Congratulations! You just cracked more than 446,000 passwords.
what is p-word
what are u looking for
p-word
p word
? password
pw
pass
obvious
what it is
normal
Best guess: password.
Congratulations! You just cracked more than 345,000 passwords.
Show me the decrypted password

Adobe has been using a different, and more secure, method for encrypting passwords for the past year, according to Edell. That method is SHA-256, a national standard for hashing.

Users can make it harder for hackers to get their information by using passwords that are less traceable. Fraud experts, such as private investigator Jimmie Mesis, suggest using information like one's favorite food — which is harder to guess than the name of a parent — as part of a password. He also recommends using different passwords for different accounts. But ultimately he believes that data breaches are inevitable now.

"You're becoming accustomed to the new norm. And the new norm is that all data is subject to be hacked," said Mesis. "Expect that you'll be compromised."

Additional reporting contributed by Lam Thuy Vo.
Note: For privacy purposes, example data in this article was randomly generated but accurately represents the look and feel of the original data set.

Find Al Jazeera America on your TV